Windows Confidential: What You See Is What You See
Sometimes you just can’t prevent users from taking out a camera and snapping a photo of the monitor.
A customer recently reported finding a security vulnerability in the Microsoft Office Information Rights Management (IRM): “I am able to capture a screenshot of any confidential e-mail by following these simple steps. First, I open the e-mail message on the screen. Next, I use a screen capture program to take a screenshot. I expected to see the error message, ‘The screenshot feature is disabled when IRM-protected content is open. Close the IRM-protected document and try again.’”
This issue actually started generating a nontrivial amount of discussion, so I felt compelled to step in and stop the madness before it spiraled out of control. The screen capture application simply gets access to the screen (by calling GetDC(NULL)). Then it copies the contents into a bitmap using the BitBlt function.
We talked about this operation a few years ago in the article, “The Case of the Disappearing Cursor.” If I were a less-honest person, I would claim that the earlier article was intended to lay the groundwork for this one.
The IRM-protected document is just a collection of pixels on the screen. The graphics system doesn’t know, “Oh, wait, this pixel is special. Don’t let anybody read this pixel.”
Even if the graphics system enforced IRM-protected content at the pixel level, you could still bypass that protection. All you have to do is connect to the computer via Remote Desktop Connection (RDC) and press PrtSc on the client. RDC doesn’t know which pixels are supposed to be “protected” by the graphics system and which ones aren’t.
Even if RDC had a facility for specifying which pixels on the server are IRM-protected, you could still bypass that protection. Just take the Remote Desktop client and patch out the proposed “ProtectPixels” function. Or you could write your own client that ignores the proposed “ProtectedPixels” flag and treats all pixels as unprotected.
Even if somehow the RDC server could detect that the client is not respecting the “ProtectedPixels” flag, or if the client has been compromised and is being prevented from protecting pixels, you can still bypass any protection. All you have to do is view the document via a Web site (for example, put it on your Exchange mailbox and use Outlook Web Access) and PrtSc the Web page. The Web browser certainly doesn’t know which pixels are IRM-protected or not.
Even if somehow the Web browser knew which pixels were IRM-protected and called “ProtectPixels” on those pixels, you could still take out a digital camera and snap photos of your monitor. Take several shots and use some image processing application to de-blur the result, or use a de-blurring attachment.
Even if somehow the monitor could be told to use a special frequency of light that disrupts digital cameras, you can still get around that protection. Just sit down and copy the words with paper and pencil. Memorize the contents of the document (or at least its basic meaning) and recite it to a friend.
IRM in Microsoft Office is not about presenting content with a guarantee that it can’t be reproduced by the recipient. It’s a deterrent, not a security boundary. Its goal is to make it harder for people to accidentally violate your document’s information policy (by doing something like forwarding an e-mail message to somebody outside the project team).
There’s an explanation at office.microsoft.com, stating that IRM “cannot protect information from every threat, every person or every set of circumstances.” It goes on to explain that, “to a determined, technologically sophisticated, and well-paid corporate spy, IRM might be little more than a temporary setback.” In fact, that Web page specifically calls out that it does not block screen capture tools.
In other words, the answer to the customer’s report is, “Yes, you can use that technique to make a copy of content protected by IRM. There’s also no technical way of stopping a user from memorizing an e-mail message and repeating it to an unauthorized person. If you don’t trust someone with confidential information, then don’t share confidential information with them.”
Raymond Chen’s Web site, The Old New Thing, and identically titled book (Addison-Wesley, 2007) deal with Windows history, Win32 programming and PowerPoint Karaoke.